Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff
By David Gamey - 07 Dec 2021.
PCI DSS can be hard, and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and more painful.
- Don't upgrade your end-of-life software, it's fine. After all, it's not like you won't be able to upgrade overnight when a zero-day gets published. Besides, the vendor is sure to provide a patch for a product it no longer supports.
- Don't patch those pesky medium- and high-risk items on internal networks. It's not like an intruder who gets past the perimeter will try to move laterally through your network.
- Ignore those network and security appliances. You didn't install the OS, and who ever heard of firmware vulnerabilities?
- You're only doing this for a PCI checkbox, your assessor may not notice, and it isn't like you should be worried about ransomware.
- Sleep better at night; it's run fine for years, and just look at all the time, money, and effort you saved.
Seriously, if you want your assessment to be smooth and boring, you may find these articles useful.
- Payment Data Security Essential: Patching https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
- Ransomware Resource Guide https://www.pcisecuritystandards.org/pdfs/PCISSCRansomwareResourceGuide.pdf
- FAQ #1130 Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Unsupported-OS
- FAQ #1427 Are OEMs and/or hardware/software resellers subject to PCI DSS Requirements 12.8 and 12.9? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Are-OEMs-and-or-hardware-software-resellers-subject-to-PCI-DSS-Requirements-12-8-and-12-9
- All Known Published PCI FAQs indexed in one place https://controlgap.com/index-pci-frequently-asked-questions/
- Reporting Requirements https://www.pcisecuritystandards.org/documents/PCI-DSS-v321-ROC-Reporting-Template.pdf
- PCI Compliance and the Intel AMT (firmware) Vulnerability https://controlgap.com/blog/pci-compliance-intel-amt-vulnerability
If you'd like more entertaining reads, try these:
- Non-Compliance Lesson No. 1: Wait until your assessment to validate scope https://controlgap.com/blog/Non-Compliance-Lesson-No-1
- Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print https://controlgap.com/blog/Non-Compliance-Lesson-No-2
- The ENTITY (a scary PCI monster) https://controlgap.com/blog/the-entity-a-scary-pci-monster
If You Need Help
Compliance can seem as dry as toast. Normally, it only gets exciting when things go wrong: you find problems during an annual assessment, you are facing a looming deadline, and senior management is breathing down your neck expecting a pass. Last-minute discovery of problems gets extremely stressful. Failure becomes an option. Remediation is not guaranteed and can often be risky, sub-optimal, and expensive.
PCI DSS has 12 high-level requirements and over 250 sub-requirements, each of which is an opportunity for failure. The kinds of challenges we describe are often avoidable and manageable. After all, PCI is an open-book exam, and there should be no excuse for not being prepared. If you are struggling with business-as-usual compliance, or have challenges, we can help.